OLAF Personal Data Processing Operations and Privacy Statements

Article 25 of the Data Protection Regulation requires every controller to give prior notice (that is, before the processing operation begins) to the DPO, and spells out a number of items of information which must be included in the notification. At OLAF, notifications are made through the use of the "Notice to the Data Protection Officer & Register" IT application, which may be accessed through the OLAF Intranet.

Article 26 of the Regulation requires the DPO to keep a Register of all processing operations notified to him/her. The register may be inspected by any person directly or indirectly through the EDPS. The public version of OLAF's Register, which does not contain any information about measures taken to ensure security of processing, may be accessed through the OLAF Europa site. Each OLAF notification has a "privacy statement" attached, which sets forth all information about the processing operation that must be provided to the data subjects concerned.

Article 27 of the Regulation requires the DPO to send the notifications presenting specific risks, as defined therein, to the EDPS for prior checking. The EDPS issues an opinion on each processing operation subject to prior checking, which are published on the EDPS website.

For convenience, the privacy statements and, where applicable, EDPS prior checking opinions for each of OLAF's processing operations may be accessed by clicking the links above.

Pursuant to Article 4(1)(e) of Regulation 45/2001, personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed." The retention periods for each of OLAF's processing operations are set forth in the respective notifications. A table, prepared in November 2013, lists the retention periods for all OLAF processing operations as set forth in the notifications.